On Mon, Jun 30, 2025 at 19:25:05 +0200, Peter Krempa wrote:
> From: Peter Krempa <pkre...@redhat.com>
> 
> Key encipherment is required only for RSA key exchange algorithm. With
> TLS 1.3 this is not even used as RSA is used only for authentication.
> 
> Since we can't really check when it's required ahead of time drop the
> check completely. GnuTLS will moan if it will not be able to use RSA
> key exchange.
> 
> In commit 11867b0224a2 I tried to relax the check for some elliptic
> curve algorithms that explicitly forbid it. Based on the above the proper
> solution is to completely remove it.
> 
> Resolves: https://issues.redhat.com/browse/RHEL-100711
> Fixes: 11867b0224a2b8dc34755ff0ace446b6842df1c1
> Signed-off-by: Peter Krempa <pkre...@redhat.com>
> ---

I've tested this by creating a client certificate with the following info:

organization = test
cn = HOST
tls_www_server
signing_key

(thus missing 'encryption_key' field)

Attempting to use currently released libvirt results in:

 $ virsh -c qemu+tls://speedmetal/system list
 error: failed to connect to the hypervisor
 error: Certificate /etc/pki/libvirt/clientcert.pem usage does not permit key encipherment

Whereas with patched libvirt:

 $ ./build/libvirt/gcc/tools/virsh -c qemu+tls://speedmetal/system list
  Id   Name   State
 ----------------------
  1    ha     running

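The test above hinges on the X.509 keyUsage extension: a certtool template with `signing_key` but no `encryption_key` produces a certificate whose keyUsage has digitalSignature set and keyEncipherment clear, which the old libvirt check rejected. The following example is added here to illustrate that; it is not libvirt's or GnuTLS's code. It decodes the DER BIT STRING carried by the keyUsage extension and contrasts the old "must have keyEncipherment" rule with a check for the one bit a certificate actually needs to authenticate in a TLS 1.3 or ECDHE handshake, where the RSA key only signs. The two DER byte strings are constructed for the example.

```python
# Names of the keyUsage bits in RFC 5280 order (bit 0 is the MSB of the
# first byte of the BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature",
    "nonRepudiation",
    "keyEncipherment",
    "dataEncipherment",
    "keyAgreement",
    "keyCertSign",
    "cRLSign",
    "encipherOnly",
    "decipherOnly",
]


def decode_key_usage(der: bytes) -> set[str]:
    """Decode the DER-encoded keyUsage BIT STRING into a set of flag names.

    Layout: 0x03 (BIT STRING tag), short-form length, one byte giving the
    number of unused trailing bits, then the bit payload MSB-first.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused_bits = der[2]
    payload = der[3:]
    if unused_bits > 7 or (not payload and unused_bits):
        raise ValueError("bad unused-bit count")
    total_bits = len(payload) * 8 - unused_bits
    flags = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            flags.add(KEY_USAGE_BITS[i])
    return flags


def old_libvirt_check(flags: set[str]) -> bool:
    """The pre-patch rule: reject any certificate lacking keyEncipherment.

    keyEncipherment is only exercised by the RSA key-exchange ciphersuites,
    which TLS 1.3 dropped, so this rejects perfectly usable certificates.
    """
    return "keyEncipherment" in flags


def usable_for_tls_authentication(flags: set[str]) -> bool:
    """What a certificate needs when its key only signs the handshake
    (TLS 1.3, or ECDHE with any TLS version): digitalSignature.
    Whether RSA key exchange is possible is left to the TLS library at
    handshake time, which is what the patch does.
    """
    return "digitalSignature" in flags


# Constructed DER for the two cases from the mail thread (sample values):
#   certtool template with signing_key + encryption_key
#   -> digitalSignature | keyEncipherment = 0b10100000, 5 unused bits
WITH_ENCIPHERMENT = bytes.fromhex("03 02 05 a0")
#   certtool template with signing_key only
#   -> digitalSignature = 0b10000000, 7 unused bits
SIGNING_ONLY = bytes.fromhex("03 02 07 80")


if __name__ == "__main__":
    for label, der in (("signing+encipherment", WITH_ENCIPHERMENT),
                       ("signing only", SIGNING_ONLY)):
        flags = decode_key_usage(der)
        print(f"{label}: {sorted(flags)}")
        print(f"  old libvirt check accepts: {old_libvirt_check(flags)}")
        print(f"  usable for TLS auth:       {usable_for_tls_authentication(flags)}")
```

Running it shows the signing-only certificate failing the old check while still carrying the digitalSignature bit that the handshake really needs, which matches the "usage does not permit key encipherment" error above and its disappearance with the patched build.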